• Greetings all! Pardon my ignorance on a lot of this, web development isn’t really my thing, but I try.

    I have two sites that have been knocked completely off-line, the one mentioned and That’s Good Enough For Me.

    Bluehost ran a scan for me, indicating 7 infected files, all of which are some 500.php file.

    /home2/twdcstud/public_html/glossolalia/500.php: SL-PHP-EVAL_REQUEST-axog.UNOFFICIAL FOUND
    /home2/twdcstud/public_html/500.php: SL-PHP-EVAL_REQUEST-axog.UNOFFICIAL FOUND
    /home2/twdcstud/public_html/test/500.php: SL-PHP-EVAL_REQUEST-axog.UNOFFICIAL FOUND
    /home2/twdcstud/public_html/tbd/500.php: SL-PHP-EVAL_REQUEST-axog.UNOFFICIAL FOUND
    /home2/twdcstud/public_html/co-op/500.php: SL-PHP-EVAL_REQUEST-axog.UNOFFICIAL FOUND
    /home2/twdcstud/public_html/comics/500.php: SL-PHP-EVAL_REQUEST-axog.UNOFFICIAL FOUND
    /home2/twdcstud/public_html/co-op-forum/500.php: SL-PHP-EVAL_REQUEST-axog.UNOFFICIAL FOUND

    ----------- SCAN SUMMARY -----------
    Known viruses: 2263445
    Engine version: devel-clamav-0.99-beta1-632-g8a582c7
    Scanned directories: 12535
    Scanned files: 188378
    Infected files: 7
    Data scanned: 8604.30 MB
    Data read: 16902.96 MB (ratio 0.51:1)
    Time: 9355.212 sec (155 m 55 s)

    ----------- SCAN SUMMARY -----------
    Known viruses: 2263445
    Engine version: devel-clamav-0.99-beta1-632-g8a582c7
    Scanned directories: 0
    Scanned files: 0
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 9.061 sec (0 m 9 s)

    ----------- SCAN SUMMARY -----------
    Known viruses: 2263445
    Engine version: devel-clamav-0.99-beta1-632-g8a582c7
    Scanned directories: 0
    Scanned files: 570
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 11.584 sec (0 m 11 s)

    Each of those 500.php files has the same content:

    <!-- PHP Wrapper - 500 Server Error -->
    <html><head><title>500 Server Error</title></head>
    <body bgcolor=white>
    <h1>500 Server Error</h1>
    
    A misconfiguration on the server caused a hiccup.
    Check the server logs, fix the problem, then try again.
    <hr>
    
    <?
    echo "URL: https://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]<br>\n";
    $fixer = "checksuexec ".escapeshellarg($_SERVER[DOCUMENT_ROOT].$_SERVER[REQUEST_URI]);
    echo $fixer;
    ?>
    
    </body></html>

    I’ve read through the FAQ My site was hacked page, but am still a bit unclear on how to proceed.

    Do I delete these 500.php files?

    Any help or advice is greatly appreciated.




Viewing 4 replies - 1 through 4 (of 4 total)
  • If you haven’t deleted them already, you should now because you’re giving other hackers a way to target you.

    However, even after you delete them they’ll probably come back because you have some vulnerability somewhere.

    Yes, they need to be removed. And not just the files, but the folders:

    /home2/twdcstud/public_html/glossolalia/500.php: SL-PHP-EVAL_REQUEST-axog.UNOFFICIAL FOUND
    /home2/twdcstud/public_html/500.php: SL-PHP-EVAL_REQUEST-axog.UNOFFICIAL FOUND
    /home2/twdcstud/public_html/test/500.php: SL-PHP-EVAL_REQUEST-axog.UNOFFICIAL FOUND
    /home2/twdcstud/public_html/tbd/500.php: SL-PHP-EVAL_REQUEST-axog.UNOFFICIAL FOUND
    /home2/twdcstud/public_html/co-op/500.php: SL-PHP-EVAL_REQUEST-axog.UNOFFICIAL FOUND
    /home2/twdcstud/public_html/comics/500.php: SL-PHP-EVAL_REQUEST-axog.UNOFFICIAL FOUND
    /home2/twdcstud/public_html/co-op-forum/500.php: SL-PHP-EVAL_REQUEST-axog.UNOFFICIAL FOUND

    That said, the likelihood that there is an infection somewhere that will re-build these folders and/or files on the fly is very high.

    You need to remove the infection, plug the hole, and continue to rescan as necessary. The investment into MalCare is well worth it in my experience:

    https://www.ads-software.com/plugins/malcare-security/
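
An added example, not part of the original thread or any poster's own code: a small shell helper for the cleanup-and-rescan loop described above. It reads a ClamAV report like the one quoted in the first post, moves the flagged files into a quarantine directory with their hashes recorded, and later reports any flagged path that has been recreated. The function names and quarantine layout are hypothetical, and it assumes report lines of the form `<path>: <signature> FOUND`.

```shell
#!/bin/sh
# Added example. Assumes report lines look like "<path>: <signature> FOUND".
# Function names and the quarantine layout are hypothetical.

# Print the path from every "FOUND" line of report file $1.
flagged_paths() {
    sed -n 's|^[[:space:]]*\(/.*\): [^ ]* FOUND.*$|\1|p' "$1"
}

# Move each flagged file into directory $2 (keep it outside the web root),
# recording its SHA-256 and original path in manifest.txt first.
quarantine_flagged() {
    report=$1; qdir=$2
    mkdir -p "$qdir" && chmod 700 "$qdir"
    flagged_paths "$report" | while IFS= read -r f; do
        [ -f "$f" ] || continue
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s  %s\n' "$sum" "$f" >> "$qdir/manifest.txt"
        mv "$f" "$qdir/$sum.quarantined"
    done
}

# Number of distinct file contents among the quarantined files.
distinct_hashes() {
    cut -d' ' -f1 "$1/manifest.txt" | sort -u | wc -l | tr -d ' '
}

# Flagged paths that exist again: something is still rewriting them.
reappeared() {
    flagged_paths "$1" | while IFS= read -r f; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# PHP files under $1 changed in the last $2 days, for manual review.
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2"
}
```

Running `reappeared` against the same report after each rescan shows whether the files are being rebuilt, and `recent_php` narrows where to look for whatever is rebuilding them.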

    Thread Starter aspleniastudios

    (@aspleniastudios)

    Thanks corrinarusso! I did that and, for the briefest of moments, the Asplenia Studios site was back up, but only the main page, and I couldn’t access wp-admin. Now it is down again. That’s Good Enough For Me remained down (although it is, technically, an addon domain under Asplenia Studios, so the root problem affecting that is likely trickling down).

    Tolstoy – yep. Hopefully I can sort that out if I can get them back up and running.

    Hi there and thanks for reaching out! Sorry we did not catch this sooner and it does appear that you are still having issues with your sites and we would be happy to take a look for you.

    Malware removal and security for your site and files/content can be a big task, and you will want to ensure that you do it properly, without necessary files or content getting removed in the process. We highly suggest working with a security professional, and there are quite a few options available to you, whether it is a malware or security plugin or a company that you prefer.

    It looks like you have been in communication with our support teams already, but if you would like for us to look into this further to see where we can help troubleshoot or point you in the right direction, please reach out to us via social media here:
    https://www.facebook.com/bluehost
    https://twitter.com/bluehost

  • The topic ‘Sites down/infected’ is closed to new replies.